DNSChanger malware shutdown affects few Canadians

FBI shuts down servers keeping malware-infected machines connected

An FBI illustration showing how a DNS server converts a domain name typed into the web browser on your home computer into a numerical address that allows your computer to find the corresponding website. (FBI.gov)


Two of Canada's largest internet service providers, Bell Canada and Rogers Communications, say their customers were not significantly affected by Monday's shutdown of the temporary FBI-operated servers in the U.S. that had been keeping Canadian web users safely attached to the internet.

An estimated 10,000 Canadian internet users were said at one point to have fallen victim to the DNSChanger virus that had taken over computers worldwide.

But "from what I've been able to determine, Bell has received less than a dozen calls from customers today," Bell spokesman Albert Lee said in an email.

"Our IT security team continues to monitor the situation and exchange information with other providers, but we have not seen a significant impact."

Lee said the company estimates that 1,000 Bell customers were potentially affected by the shutdown of the temporary DNS servers that the FBI had been keeping in operation since November 2011 as part of Operation Ghost Click.

Rogers Communications said it had also had some calls about the DNSChanger virus on Monday but did not specify how many. Both companies said they had contacted customers who they thought could be affected in advance.

Less than 1 per cent of Canadian IP addresses affected

As of July 8, there were about 210,851 unique IP addresses worldwide still using the temporary servers, according to the DNSChanger Working Group, which had been helping the FBI monitor the temporary servers.

Of those, 41,557 were in the U.S. and 7,289 in Canada, with the latter accounting for only "a fraction of one per cent of all Canadian IP addresses," according to a spokesperson for Public Safety Canada, which has been working with the Cyber Incident Response Centre to inform the public about the issue.

Many of those who were surprised to find their home computers cut off from the internet Monday took to their mobile devices instead, posting messages of frustration and confusion on Twitter and Facebook.

The servers were part of the FBI's investigation into a cybercriminal group that had, between 2007 and 2011, rerouted more than four million computers in about 100 countries through a system of false DNS servers. The virus changed the DNS settings on these computers so that their lookups bypassed their ISP's DNS servers and went to the rogue ones, which could then direct them to fraudulent websites that promoted fake products.

At the end of the investigation, the FBI contracted the non-profit Internet Systems Consortium to replace the rogue DNS servers with clean ones and keep them operating temporarily so that the infected computers connected to them would not lose internet access when the rogue servers were shut down.

The FBI said it did its best to identify which machines were infected with the virus and to inform the relevant ISPs, but that it was unable to trace all instances of the virus.

Those users who removed the virus from their computers had their normal internet connections restored, but those who didn't continued to be rerouted through the temporary servers instead of through their internet provider's servers — until July 9, when those temporary servers were disconnected.

The FBI arrested six Estonian nationals in connection with the DNSChanger scam, and they have been charged with several counts of wire fraud, computer intrusion, conspiracy and money laundering. A seventh person, of Russian origin, remains at large.

According to the FBI, the cybercriminals, who operated under the company name Rove Digital, earned about $14 million US off the sale of illegitimate products and advertising on the fraudulent websites they were directing victims to.

One example of a typical application of the DNS scam the FBI cited was a website selling fraudulent Apple software to which users would be directed when clicking on the link for the official website for iTunes.

Remove malware or reformat

Unfortunately, those who lost their internet connection Monday have little choice now but to take their machines to a computer expert and have the malware removed, since they won't be able to directly access the online services designed to detect or remove the virus.

Alternatively, affected users can use an uninfected machine to try to download some of the free DNSChanger virus scan and removal software compiled by the DNSChanger Working Group at www.dcwg.org/fix/ onto removable media, like a USB flash drive, and use that device to disinfect the compromised computer.

A more extreme course of action would be to back up important data and wipe the hard drive clean and reformat it — or have this done by a computer technician.

Those who choose this route should keep in mind that if they don't back up files to a separate drive, they'll lose them, because reformatting cleans out all the files on a drive. The operating system and applications will also need to be reinstalled after reformatting.

Check DNS settings

If you are having trouble accessing the internet and are reading this on another device, you can check whether your computer has been infected with DNSChanger by identifying your DNS settings and comparing them against the list of known rogue IP addresses listed on the FBI or Public Safety Canada websites.

According to those sites, if a DNS server address in your settings falls within one of the following ranges, your computer is infected with the virus:

85.255.112.0 through 85.255.127.25

67.210.0.0 through 67.210.15.255

93.188.160.0 through 93.188.167.255

77.67.83.0 through 77.67.83.255

213.109.64.0 through 213.109.79.255

64.28.176.0 through 64.28.191.255

To find your DNS settings, Public Safety Canada recommends the following steps.

For Windows users:

Go to Start menu.

Select Run...

Type: cmd.exe [press ENTER].

Type in the black command window: ipconfig /all [press ENTER].

Search for the line that says "DNS Servers." Often, two or three IP addresses are listed.
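The manual check above (run `ipconfig /all`, read off the "DNS Servers" lines, compare each address against the rogue ranges) is easy to automate from a clean machine. The following Python script is an added example, not code from the article, the FBI or the DNSChanger Working Group. It assumes English-language `ipconfig /all` output (the "DNS Servers" label differs on localized Windows builds), takes the rogue ranges exactly as the article prints them, and runs against two constructed ipconfig captures: one pointing at rogue resolvers and one clean configuration whose first resolver is an IPv6 address. It goes slightly beyond the text by handling the continuation lines that `ipconfig` uses when more than one DNS server is configured.

```python
from __future__ import annotations

import ipaddress
import re

# Rogue DNS server ranges as printed in the article, which cites the FBI and
# Public Safety Canada lists. Bounds are copied verbatim from the article,
# including the first range's upper bound as printed there.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.25"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# In `ipconfig /all` output, extra DNS servers appear on indented lines that
# hold nothing but the address; this matches such a continuation line.
_CONTINUATION = re.compile(r"^\s+(\S+)\s*$")


def is_rogue_dns(ip: str) -> bool:
    """True if ip is an IPv4 address inside one of the rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(
        ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
        for lo, hi in ROGUE_RANGES
    )


def _as_ipv4(token: str) -> str | None:
    """Normalize token to dotted-quad text, or None if it is not IPv4."""
    try:
        return str(ipaddress.IPv4Address(token))
    except ValueError:
        return None


def extract_dns_servers(ipconfig_output: str) -> list[str]:
    """Return the IPv4 DNS server addresses listed in English `ipconfig /all` text.

    The 'DNS Servers' line carries the first address after the colon; any
    further addresses follow on indented continuation lines. IPv6 entries
    (which ipconfig may list first) are skipped, since the rogue list is IPv4.
    """
    servers: list[str] = []
    lines = ipconfig_output.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip().startswith("DNS Servers"):
            # Split at the first colon only: the label contains no colon,
            # but an IPv6 value contains several.
            first = lines[i].split(":", 1)[1].strip()
            if (v4 := _as_ipv4(first)) is not None:
                servers.append(v4)
            i += 1
            while i < len(lines) and (m := _CONTINUATION.match(lines[i])):
                if (v4 := _as_ipv4(m.group(1))) is not None:
                    servers.append(v4)
                i += 1
            continue
        i += 1
    return servers


def check_ipconfig(ipconfig_output: str) -> dict[str, bool]:
    """Map each IPv4 DNS server found in the output to whether it is rogue."""
    return {srv: is_rogue_dns(srv) for srv in extract_dns_servers(ipconfig_output)}


def looks_infected(ipconfig_output: str) -> bool:
    """True if any configured DNS server falls in a rogue range."""
    return any(check_ipconfig(ipconfig_output).values())


# Constructed sample output resembling `ipconfig /all` on an affected machine.
SAMPLE_INFECTED = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.45
                                       67.210.3.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample of a clean machine whose first resolver is IPv6.
SAMPLE_CLEAN = """Ethernet adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, capture in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        for server, rogue in check_ipconfig(capture).items():
            print(f"{name}: {server} -> {'ROGUE' if rogue else 'ok'}")
```

To use it against a real machine, paste the text of `ipconfig /all` into a file on an uninfected computer and pass it to `check_ipconfig`; a `True` value next to any address means that resolver is in the published rogue list and the machine should be cleaned as described above.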